
SSH relay is a new feature added to PUM that enables delegation of privileged credentials to hosts where PUM agents are not installed. It makes use of the underlying SSH functionality of Unix/Linux systems to provide privileged access, and to monitor the activity after the delegation. PUM was designed to work with its own framework user management; with the release of PUM 2.3, LDAP group support has been added, which makes integration with an LDAP domain straightforward.

This article describes the configuration a customer needs to perform to enable and use the SSH relay feature.

2. Creation of Privileged Account

To create the privileged accounts, follow these steps.

Before PUM can be integrated with an authentication domain, the account domain details need to be added to the PUM manager. The PUM manager supports creation of the account domain under the Command Control console, which is installed as part of the default manager installation. The steps to add an authentication account domain to PUM are as follows:

2.1 Go to Home/Command Control console -> Privileged Accounts.

2.2 Choose the option Add Account Domain to add a new account domain to the PUM manager framework.

2.3 Provide all the details as shown in the picture below. Name and SSH host should be the network device IP address.

This creates an authentication domain for admin users. More accounts can be added to this authentication domain; follow the steps below to add non-admin authentication accounts.

2.4 Go to Home/Command Control console -> Privileged Accounts and select the privileged account created in the previous step. Click Add Credential on the left.

4. Creation of Command Control Rule

After adding the privileged account details and user group, the next step is to create rules in Command Control so that authorization to access the SSH relay host is granted on the basis of the rule. This can be achieved by following the steps below:

4.1 Go to Home/Command Control -> Rules.

4.2 Choose the Add Rule option from the left panel and add two rules, “Admin Rule for Router” and “Non Admin Rule for Router”.

4.3 Modify the Admin Rule for Router rule: set Session Capture to On and Authorize to Yes and Stop, select the credential cisco@192.178.1.254 and set the run user to cisco.

4.4 Modify the Non Admin Rule for Router rule: set Session Capture to On and Authorize to Yes and Stop, select the credential nonadmin@192.178.1.254 and set the run user to nonadmin.

5. How to Execute Rules

After adding the privileged account details, command group and rules, the next step is to execute the commands. Follow the steps below.

5.1 Connect to the router (or other network device) using an SSH client and log in as the admin user, i.e. “cisco”.

FOR ADMIN COMMANDS

5.2 On the shell prompt execute “ssh -t -p 2222 admin@<PUM_Manager_IP_address> cisco@<Router_IP_address> <any command which is part of the admin command group>” and press Enter. You will be asked for the PUM Manager console password; provide it and press Enter. You will see that the command is executed.

5.3 On the shell prompt execute “ssh -t -p 2222 admin@<PUM_Manager_IP_address> cisco@<Router_IP_address> <any command which is not part of the admin command group>” and press Enter. You will be asked for the PUM Manager console password; provide it and press Enter. You will see that the command is not executed, and the user receives a permission denied message.

FOR NON ADMIN COMMANDS

5.4 On the shell prompt execute “ssh -t -p 2222 admin@<PUM_Manager_IP_address> nonadmin@<Router_IP_address> <any command which is part of the non-admin command group>” and press Enter. You will be asked for the PUM Manager console password; provide it and press Enter. You will see that the command is executed.

5.5 On the shell prompt execute “ssh -t -p 2222 admin@<PUM_Manager_IP_address> nonadmin@<Router_IP_address> <any command which is not part of the non-admin command group>” and press Enter. You will be asked for the PUM Manager console password; provide it and press Enter. You will see that the command is not executed, and the user receives a permission denied message.

In this way, command control access can be achieved using NPUM.
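As an added example (not from the original article and not PUM product code), the following POSIX shell script turns the manual checks in section 5 into a repeatable test: it runs the relay invocation once per (run-as user, command) pair and compares the result with the expected verdict, so a command outside a user's command group that nevertheless executes is flagged as a policy gap rather than going unnoticed. It assumes the PUM manager and router addresses are supplied in the PUM_MANAGER and ROUTER environment variables, that the relay listens on port 2222 with console user admin as described above, that a refused command produces output containing “permission denied” as the article states, and that the commands in the matrix (show version, reload, configure terminal) are placeholders for whatever each command group actually contains.

```sh
#!/bin/sh
# Added example, not part of the original article or of PUM itself: a
# regression check for the Command Control rules configured above. It runs the
# relay invocation from section 5 once per (run-as user, command) pair and
# compares the outcome with the expected verdict, so an out-of-group command
# that is unexpectedly executed shows up as a policy gap instead of going
# unnoticed.
#
# Assumptions (taken from the article, not verified here):
#   - the relay listens on $PUM_MANAGER:2222 and the console user is "admin"
#   - run-as users are "cisco" (Admin Rule) and "nonadmin" (Non Admin Rule)
#   - a refused command yields output containing "permission denied"
#   - PUM_MANAGER and ROUTER are set in the environment; the commands in the
#     matrix are placeholders for whatever each command group actually holds
RELAY_PORT=2222
CONSOLE_USER=admin

# Issue one command through the relay:
#   ssh -t -p 2222 admin@<manager> <run_as>@<router> <command>
# The relay prompts for the PUM Manager console password on each call.
run_relay() {
  run_as="$1"; shift
  ssh -t -p "$RELAY_PORT" "$CONSOLE_USER@$PUM_MANAGER" "$run_as@$ROUTER" "$@" 2>&1
}

# Map exit status plus captured output to a verdict: "denied" when the relay
# refused the command, "executed" on a clean exit, "error" for anything else
# (e.g. the manager is unreachable), which must not be mistaken for a denial.
classify_result() {
  status="$1"; output="$2"
  case "$output" in
    *[Pp]"ermission denied"*) echo denied ;;
    *) if [ "$status" -eq 0 ]; then echo executed; else echo error; fi ;;
  esac
}

# Compare observed and expected verdicts. A command that should have been
# denied but ran means the rule is more permissive than intended.
judge() {
  expected="$1"; actual="$2"
  if [ "$expected" = "$actual" ]; then echo PASS
  elif [ "$expected" = denied ] && [ "$actual" = executed ]; then echo "FAIL (policy gap)"
  else echo FAIL
  fi
}

# Constructed test matrix, one "run_as|command|expected" entry per line.
MATRIX='cisco|show version|executed
cisco|reload|denied
nonadmin|show version|executed
nonadmin|configure terminal|denied'

run_matrix() {
  printf '%s\n' "$MATRIX" | while IFS='|' read -r run_as command expected; do
    # $command is deliberately unquoted so it is passed as separate words
    out=$(run_relay "$run_as" $command); st=$?
    actual=$(classify_result "$st" "$out")
    printf '%-9s %-20s expected=%-8s got=%-8s %s\n' \
      "$run_as" "$command" "$expected" "$actual" "$(judge "$expected" "$actual")"
  done
}

# Only touch the network when both endpoints are configured.
if [ -n "${PUM_MANAGER:-}" ] && [ -n "${ROUTER:-}" ]; then
  run_matrix
fi
```

Run it as `PUM_MANAGER=<PUM_Manager_IP_address> ROUTER=<Router_IP_address> sh relay-check.sh` after editing the matrix to match the actual command groups; a transport failure is reported as "error" rather than "denied" so that an unreachable manager cannot make a permissive rule look like it is enforcing.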

6. Glossary of Terms

PUM – Privileged User Manager

SSH – Secure Shell


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.